Nginx combined with multiple Puppet master sets (Apache + Foreman + Puppet)

Source: Internet
Author: User


This case covers a system with multiple Puppet server sets (Puppet + Apache + Foreman + foreman-proxy) that use an Nginx load balancer to present a single, unified service. For the Puppet + Apache + Foreman + foreman-proxy configuration and the Nginx + Puppet configuration, refer to my previous related articles.


Two sets are used here as an example. Their details are as follows:

Software: CentOS 6.5 x86_64, Puppet 3.8.3, Foreman 1.9.2, foreman-proxy 1.9.2

Nginx 1.4.7 is installed on the primary master.


Domain names:

Master1: www.master1.com

Master2: www.master2.com


The primary Puppet server, Master1, needs no changes apart from the Nginx load-balancing configuration. Most of the changes are made on the secondary Puppet server, Master2.

Modify the secondary Puppet server, Master2, as follows:


First, modify the Puppet configuration

1.1 Modify puppet.conf

[main]
# Use master1's certificate domain name
certname = www.master1.com
# Disable the certificate authority function on master2
ca = false


1.2 Modify foreman.yaml

Use Master1's values for the following settings:

:url: "www.master1.com"
:ssl_ca: "/var/lib/puppet/ssl/ca/ca_crt.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/www.master1.com.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/www.master1.com.pem"


1.3 Unify the configuration

Replace the following files under /etc/puppet/:

Copy fileserver.conf, auth.conf and autosign.conf from Master1 to the corresponding location on Master2;

Copy the manifests directory from Master1 to the corresponding location on Master2;

Copy the modules directory from Master1 to the corresponding location on Master2;

Note: If you use the environments folder to store different environments, copy that folder as well. If any of these files change later, synchronize them with Master1 promptly.


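1.4 Unify the certificates

Copy the /var/lib/puppet/ folder from Master1 to the corresponding location on Master2;

Note: This folder contains the CA data and the master's private keys, so preserve ownership and permissions when copying it. If these files change later, synchronize them with Master1 promptly.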


Second, modify the Apache configuration

2.1 Disable ports 80 and 443, leaving only the Puppet service port

# vim /etc/httpd/conf/port.conf

Comment out the following lines:

#Listen 443
#Listen 80
#NameVirtualHost *:443
#NameVirtualHost *:80


2.2 Rename the Foreman-related configuration files in Apache so that they are not loaded

# cd /etc/httpd/conf.d
# mv 05-foreman.conf 05-foreman.conf_bak
# mv 05-foreman-ssl.conf 05-foreman-ssl.conf_bak
# mv 15-default.conf 15-default.conf_bak


Third, stop the related services

3.1 Stop the Foreman service

# service foreman stop
# chkconfig foreman off


3.2 Stop the foreman-proxy service

# service foreman-proxy stop
# chkconfig foreman-proxy off


Fourth, modify the Nginx configuration on Master1

Because the secondary Puppet master (Master2) has certificate issuance disabled, certificate requests and issuance must be handled by the primary Puppet master (Master1). We therefore filter new clients' certificate requests and the requests used for issuance so that they can reach only Master1.


Add the following to the server block of the existing Nginx load-balancer configuration:

# vim /usr/local/nginx/conf/nginx.conf


# The first path segment of a Puppet 3 request is the environment name.
location ~* /product/(certificate|certificate_request|certificate_revocation_list) {
    # Forward certificate requests to the primary Puppet master (master1)
    proxy_pass https://127.0.0.1:8140;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Subject $ssl_client_s_dn;
    proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
}



Fifth, start the services

5.1 Restart the Apache service on Master2

# service httpd restart


5.2 Start all related services on Master1

# service foreman-proxy restart
# service httpd restart
# /usr/local/nginx/sbin/nginx


5.3 Test with a client connection

To test the result, enable the connection to each Puppet master in Nginx and verify that each Puppet service is healthy.
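
An added example, not part of the original article: it replays the certificate location rule from the Nginx step over access-log lines and lists certificate requests that were answered by a master other than Master1. The log format, the sample lines, the Master2 address 192.0.2.12 and the function names are assumptions; the environment segment product and the backend 127.0.0.1:8140 are taken from the configuration above.

```python
import re

ENVIRONMENT = "product"         # environment segment used in the location pattern
CA_UPSTREAM = "127.0.0.1:8140"  # Master1 backend, from the proxy_pass line

# Puppet 3 certificate endpoints pinned to Master1; "~*" in nginx is an
# unanchored, case-insensitive match against the request path.
CA_PATH = re.compile(
    r"/%s/(certificate|certificate_request|certificate_revocation_list)"
    % re.escape(ENVIRONMENT),
    re.IGNORECASE,
)

# Assumed nginx log_format: '$remote_addr "$request" $status $upstream_addr'
LOG_LINE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<upstream>\S+)$'
)

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
10.0.0.21 "GET /product/certificate/ca HTTP/1.1" 200 127.0.0.1:8140
10.0.0.21 "PUT /product/certificate_request/node21.example.com HTTP/1.1" 200 127.0.0.1:8140
10.0.0.21 "GET /product/certificate/node21.example.com HTTP/1.1" 404 192.0.2.12:8140
10.0.0.22 "GET /product/catalog/node22.example.com HTTP/1.1" 200 192.0.2.12:8140
10.0.0.22 "GET /product/certificate_revocation_list/ca HTTP/1.1" 200 127.0.0.1:8140
10.0.0.23 "PUT /product/report/node23.example.com HTTP/1.1" 200 127.0.0.1:8140
"""

def is_ca_request(path):
    """True when the certificate location would capture this request path."""
    return CA_PATH.search(path) is not None

def misrouted_ca_requests(log_text):
    """Return (client, path, upstream) for CA requests served by another master."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # skip blank or unparseable lines
        if is_ca_request(m["path"]) and m["upstream"] != CA_UPSTREAM:
            hits.append((m["client"], m["path"], m["upstream"]))
    return hits

if __name__ == "__main__":
    for client, path, upstream in misrouted_ca_requests(SAMPLE_LOG):
        print("CA request from %s for %s went to %s" % (client, path, upstream))
```

An empty result on a real log means every certificate request reached Master1; any entry points at a location rule that did not match.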


If there are more sets of the same kind, they are configured in a similar way.


This article is from the "4699096" blog, please be sure to keep this source http://4709096.blog.51cto.com/4699096/1735470
